Consumer views and news since 2007 about identity theft, privacy, and corporate responsibility -- by George Jenkins

112 posts categorized "Identity Protection"

Today's children often use mobile devices at very young ages... four, five, or six years of age. And they don't know anything about online dangers: computer viruses, stalking, cyber-bullying, identity theft, phishing scams, ransomware, and more. Nor do they know how to read terms-of-use and privacy policies. It is parents' responsibility to teach them.

"1. Set an example: If you want your kid to be careful and responsible online, you should start with yourself."

Children watch their parents. If you practice good online safety habits, they will learn from watching you. And:

"2. Start talking to your kid early and do it often: If your child already knows how to play a video on YouTube or is able to download a gaming app without your help, they also should learn how to do it safely. Therefore, it’s important to start explaining the basics of privacy and cybersecurity at an early age."

So, long before having the "sex talk" with your children, parents should have the online safety talk. Developing good online safety habits at a young age will help children throughout their lives, especially as adults:

You wouldn't give this information to a stranger on a city street. The same applies online. That also means discussing social media:

"4. Social media and messaging: a) don’t accept friend requests from people you don’t know; b) never send your pictures to strangers; c) make sure only your friends can see what you post on Facebook; d) turn on timeline review to check posts you are tagged in before they appear on your Facebook timeline; e) if someone asks you for some personal information, always tell your parents; f) don’t share too much on your profile (e.g., home address, phone number, current location); and g) don’t use your social media logins to authorize apps."

[Editor's note: today's guest post, by reporters at ProPublica, discusses data brokers you may not know, the data collected and archived about consumers, and options for consumers to (re)gain as much privacy as possible. It is reprinted with permission.]

Cambridge Analytica thinks that I’m a "Very Unlikely Republican." Another political data firm, ALC Digital, has concluded I’m a "Socially Conservative," Republican, "Boomer Voter." In fact, I’m a 27-year-old millennial with no set party allegiance.

For all the fanfare, the burgeoning field of mining our personal data remains an inexact art.

One thing is certain: My personal data, and likely yours, is in more hands than ever. Tech firms, data brokers and political consultants build profiles of what they know — or think they can reasonably guess — about your purchasing habits, personality, hobbies and even what political issues you care about.

You can find out what those companies know about you but be prepared to be stubborn. Very stubborn. To demonstrate how this works, we’ve chosen a couple of representative companies from three major categories: data brokers, big tech firms and political data consultants.

Few of them make it easy. Some will show you on their websites, others will make you ask for your digital profile via the U.S. mail. And then there’s Cambridge Analytica, the controversial Trump campaign vendor that has come under intense fire in light of a report in the British newspaper The Observer and in The New York Times that the company used improperly obtained data from Facebook to help build voter profiles.

To find out what the chaps at the British data firm have on you, you’re going to need both stamps and a "cheque."

Once you see your data, you’ll have a much better understanding of how this shadowy corner of the new economy works. You’ll see what seemingly personal information they know about you … and you’ll probably have some hypotheses about where this data is coming from. You’ll also probably see some predictions about who you are that are hilariously wrong.

And if you do obtain your data from any of these companies, please let us know your thoughts at politicaldata@propublica.org. We won’t share or publish what you say (unless you tell us that it’s OK).

Cambridge Analytica and Other Political Consultants

Making statistically informed guesses about Americans’ political beliefs and pet issues is a common business these days, with dozens of firms selling data to candidates and issue groups about the purported leanings of individual American voters.

Few of these firms have to give you your data. But Cambridge Analytica is required to do so by an obscure European rule.

Cambridge Analytica:

Around the time of the 2016 election, Paul-Olivier Dehaye, a Belgian mathematician and founder of a website that helps people exercise their data protection rights called PersonalData.IO, approached me with an idea for a story. He flagged some of Cambridge Analytica’s claims about the power of its "psychographic" targeting capabilities and suggested that I demand my data from them.

So I sent off a request, following Dehaye’s coaching, and citing the UK Data Protection Act 1998, the British implementation of a little-known European Union data-protection law that grants individuals (even Americans) the right to see the data European companies compile about them.

It worked. I got back a spreadsheet of data about me. But it took months, cost ten pounds — and I had to give them a photo ID and two utility bills. Presumably they didn’t want my personal data falling into the wrong hands.

After you submit the form, the page will immediately request that you email to data.compliance@cambridgeanalytica.org a photo ID and two copies of your utility bills or bank statements, to prove your identity. This page will also include the company’s bank account details.

Find a way to send them 10 GBP. You can try wiring this from your bank, though it may cost you an additional $25 or so — or ask a friend in the UK to go to their bank and get a cashier’s check. Your American bank probably won’t let you write a GBP-denominated check. Two services I tried, Xoom and TransferWise, weren’t able to do it.

Eventually, Cambridge Analytica will email you a small Excel spreadsheet of information and a letter. You might have to wait a few weeks. Celeste LeCompte, ProPublica’s vice president of business development, requested her data on March 27 and still hasn’t received it.

Because the company is based in the United Kingdom, it had no choice but to fulfill my request. In recent weeks, the firm has come under intense fire after The New York Times and the British paper The Observer disclosed that it had used improperly obtained data from Facebook to build profiles of American voters. Facebook told me that data about me was likely transmitted to Cambridge Analytica because a person with whom I am "friends" on the social network had taken the now-infamous "This Is Your Digital Life" quiz. For what it’s worth, my data shows no sign of anything derived from Facebook.

What You Might Get Back From Cambridge Analytica:

Cambridge Analytica had generated 13 data points about my views: 10 political issues, ranked by importance; two guesses at my partisan leanings (one blank); and a guess at whether I would turn out in the 2016 general election.

They told me that the lower the rank, the higher the predicted importance of the issue to me.

Alongside that data labeled "models" were two other types of data that are run-of-the-mill and widely used by political consultants. One sheet of "core data" — that is, personal info, sliced and diced a few different ways, perhaps to be used more easily as parameters for a statistical model. It included my address, my electoral district, the census tract I live in and my date of birth.

The spreadsheet included a few rows of "election returns" — previous elections in New York State in which I had voted. (Intriguingly, Cambridge Analytica missed that I had voted in 2015’s snoozefest of a vote-for-five-of-these-five judicial election. It also didn’t know about elections in which I had voted in North Carolina, where I lived before I lived in New York.)

ALC Digital

ALC Digital is another data broker, which says that its "audiences are built from multi-sourced, verified information about an individual." Its data is distributed via Oracle Data Cloud, a service that lets advertisers target specific audiences of people — like, perhaps, people who are Boomer Voters and also Republicans.

The firm brags in an Oracle document posted online about how hard it is to avoid their data collection efforts, saying, "It has no cookies to erase and can’t be ‘cleared.’ ALC Real World Data is rooted in reality, and doesn’t rely on inferences or faulty models."

How You Can Request Your Data From ALC Digital:

Here’s how to find the predictions about your political beliefs in Oracle Data Cloud:

And not everyone appears to have data from ALC Digital, so don’t be shocked if you can’t find it. If you don’t, there may be other fascinating companies with data about who you are in your Oracle file.

What You Might Get Back From ALC Digital:

When I downloaded the data last year, it said I was "Socially Conservative," "Boomer Voter" — as well as a female voter and a tax reform supporter.

Recently, when I checked my data, those categories had disappeared entirely from my data. I had nothing from ALC Digital.

ALC Digital is not required to release this data. It is disclosed via the Oracle Data Cloud. Fran Green, the company’s president, said that Aristotle, a longtime political data company, “provides us with consumer data that populates these audiences.” She also said that “we do not claim to know people’s ‘beliefs.’”

Big Tech

Big tech firms like Google and Facebook tend to make their money by selling ads, so they build extensive profiles of their users’ interests and activities. They also depend on their users’ goodwill to keep us voluntarily giving them our locations, our browsing histories and plain ol’ lists of our friends and interests. (So far, these popular companies have not faced much regulation.) All three make it easy to download the data that they keep on you.

Firms like Google and Facebook don’t sell your data — because it’s their competitive advantage. Google’s privacy page screams in 72 point type: "We do not sell your personal information to anyone." As websites that we visit frequently, they sell access to our attention, so companies that want to reach you in particular can do so with these companies’ sites or other sites that feature their ads.

You’ll get an email immediately, and another one saying “Your Facebook download is ready” when your data is ready to be downloaded. You’ll get a notification on Facebook, too. Mine took just a few minutes.

Once you get that email, click the link, then click Download Archive. Then reenter your password, which will start a zip file downloading.

Unzip the folder; depending on your computer’s operating system, this might be called uncompressing or “expanding.” You’ll get a folder called something like “facebook-jeremybmerrill,” but, of course, with your username instead of mine.

Open the folder and double-click “index.htm” to open it in your web browser.

What You Might Get Back From Facebook

Facebook designed its archive to first show you your profile information. That’s all information you typed into Facebook and that you probably intended to be shared with your friends. It’s no surprise that Facebook knows what city I live in or what my AIM screen name was — I told Facebook those things so that my friends would know.

But it’s a bit of a surprise that they decided to feature a list of my ex-girlfriends — what they blandly termed "Previous Relationships" — so prominently.

As you dig deeper in your archive, you’ll find more information that you gave Facebook, but that you might not have expected the social network to keep hold of for years: if you’re me, that’s the Nickelback concert I apparently RSVPed to, posts about switching high schools and instant messages from my freshman year in college.

But finally, you’ll find the creepier information: what Facebook knows about you that you didn’t tell it, on the "Ads" page. You’ll find "Ads Topics" that Facebook decided you were interested in, like Housing, ESPN or the town of Ellijay, Georgia. And, you’ll find a list of advertisers who have obtained your contact information and uploaded it to Facebook, as part of a so-called Custom Audience of specific people to whom they want to show their ads.

You’ll find more of that creepy information on your Ads Preferences page. Despite Mark Zuckerberg telling Rep. Jerry McNerney, D-Calif., in a hearing earlier this month that “all of your information is included in your ‘download your information,’” my archive didn’t include that list of ad categories that can be used to target ads to me. (Some other types of information aren’t included in the download, like other people’s posts you’ve liked. Those are listed here, along with where to find them — which, for most, is in your Activity Log.)

This area may include Facebook’s guesses about who you are, boiled down from some of your activities. Most Americans will have a guess about their politics — Facebook says I’m a "moderate" about U.S. Politics — and some will have a guess about so-called "multicultural affinity," which Facebook insists is not a guess about your ethnicity, but rather what sorts of content "you are interested in or will respond well to." For instance, Facebook recently added that I have a "Multicultural Affinity: African American." (I’m white — though, because Facebook’s definition of "multicultural affinity" is so strange, it’s hard to tell if this is an error on Facebook’s part.)

Facebook also doesn’t include your browsing history — the subject of back-and-forths between Mark Zuckerberg and several members of Congress — it says it keeps that just long enough to boil it down into those “Ad Topics.”

For people without Facebook accounts, Facebook says to email datarequests@support.facebook.com or fill out an online form to download what Facebook knows about you. One puzzle here is how Facebook gathers data on people whose identities it may not know. It may know that a person using a phone from Atlanta, Georgia, has accessed a Facebook site and that the same person was last week in Austin, Texas, and before that Cincinnati, but it may not know that that person is me. It’s in principle difficult for the company to give the data it collects about logged-out users if it doesn’t know exactly who they are.

Google

Like Facebook, Google will give you a zip archive of your data. Google’s can be much bigger, because you might have stored gigabytes of files in Google Drive or years of emails in Gmail.

But like Facebook, Google does not provide its guesses about your interests, which it uses to target ads. Those guesses are available elsewhere.

You’ll have to pick which data you want to download and examine. You should definitely select My Activity, Location History and Searches. You may not want to download gigabytes of emails, if you use Gmail, since that uses a lot of space and may take a while. (That’s also information you shouldn’t be surprised that Google keeps — you left it with Gmail so that you could use Google’s search expertise to hold on to your emails.)

Google will present you with a few options for how to get your archive. The defaults are fine.

Within a few hours, you should get an email with the subject "Your Google data archive is ready." Click Download Archive and log in again. That should start the download of a file named something like "takeout-20180412T193535.zip."

Unzip the folder; depending on your computer’s operating system, this might be called uncompressing or “expanding.”

You’ll get a folder called Takeout. Open the file inside it called "index.html" in your web browser to explore your archive.

What You Might Get Back From Google:

Once you open the index.html file, you’ll see icons for the data you chose in step 2. Try exploring "Ads" under "My Activity" — you’ll see a list of times you saw Google Ads, including on apps on your phone.

Google also includes your search history, under "Searches" — in my case, going back to 2013. Google knows what I had forgotten: I Googled a bunch of dinosaurs around Valentine’s Day that year… And it’s not just web searches: the Sound Search history reminded me that at some point, I used that service to identify Natalie Imbruglia’s song "Torn."

Android phone users might want to check the "Android" folder: Google keeps a list of each app you’ve used on your phone.

Most of the data contained here are records of ways you’ve directly interacted with Google — and the company really does use those to improve how its services work for me. I’m glad to see my searches auto-completed, for instance.

But the company also creates data about you: Visit the company’s Ads Settings page to see some of the “topics” Google guesses you’re interested in, and which it uses to personalize the ads you see. Those topics are fairly general — it knows I’m interested in “Politics” — but the company says it has more granular classifications that it doesn’t include on the list. Those more granular, hidden classifications are on various topics, from sports to vacations to politics, where Google does generate a guess whether some people are politically “left-leaning” or “right-leaning.”

Data Brokers

Here’s who really does sell your data: data brokers like the credit reporting agency Experian and a firm named Epsilon.

These sometimes-shady firms are middlemen who buy your data from tracking firms, survey marketers and retailers, slice and dice the data into “segments,” then sell those on to advertisers.

Experian

Experian is best known as a credit reporting firm, but your credit cards aren’t all they keep track of. They told me that they “firmly believe people should be made aware of how their data is being used” — so if you print and mail them a form, they’ll tell you what data they have on you.

“Educated consumers,” they said, “are better equipped to be effective, successful participants in a world that increasingly relies on the exchange of information to efficiently deliver the products and services consumers demand.”

You should hope to find a guess about your political views that’d be useful to those candidates — as well as categories derived from your purchasing data.

Experian told me they generate the data they have about you from a long list of sources, including public records and “historical catalog purchase information” — as well as calculating it from predictive models.

Epsilon

After you enter your name and address, Epsilon will ask you some of those identity-verification questions that quiz you about your old addresses and cars. If your identity can’t be verified with those, Epsilon will ask you to mail in a form.

Wait for Epsilon to mail you your data; it took about a week for me.

What You Might Get Back From Epsilon:

Epsilon has information on “demographics” and “lifestyle interests” — at the household level. It also includes a list of “household purchases.”

It also has data that political candidates use to target their Facebook ads, including Randy Bryce, a Wisconsin Democrat who’s seeking his party’s nomination to run for retiring Speaker Paul Ryan’s seat, and Rep. Tulsi Gabbard, D-Hawaii.

In my case, Epsilon knows I buy clothes, books and home office supplies, among other things — but isn’t any more specific. They didn’t tell me what political beliefs they believe I hold. The company didn’t respond to a request for comment.

Oracle

Oracle’s Data Cloud aggregates data about you from Oracle, but also so-called third-party data from other companies.

Explore each tab, from “Basic Info” to “Hobbies & Interests” and “Partner Segments.”

Not fun scrolling through all those pages? I have 84 pages of four pieces of data each.

You can’t search. All the text is actually images of text. Oracle declined to say why it chose to make their site so hard to use.

What You Might Get Back From Oracle:

My Oracle profile includes nearly 1500 data points, covering all aspects of my life, from my age to my car to how old my children are to whether I buy eggs. These profiles can even say if you’re likely to dress your pet in a costume for Halloween. But many of them are off-base or contradictory.

Many companies in Oracle’s data, besides ALC Digital, offer guesses about my political views: Data from one company uploaded by AcquireWeb says that my political affiliations are as a Democrat and an Independent … but also that I’m a “Mild Republican.” Another company, an Oracle subsidiary called AddThis, says that I’m a “Liberal.” Cuebiq, which calls itself a “location intelligence” company, says I’m in a subset of “Democrats” called “Liberal Professions.”

If an advertiser wants to show an ad to Spring Break Enthusiasts, Oracle can enable that. I’m apparently a Spring Break Enthusiast. Do I buy eggs? I sure do. Data on Oracle’s site associated with AcquireWeb says I’m a cat owner …

But it also “knows” I’m a dog owner, which I’m not.

Al Gadbut, the CEO of AcquireWeb, explained that the guesses associated with his company weren’t based on my personal data, but rather the tendencies of people in my geographical area — hence the seemingly contradictory political guesses. He said his firm doesn’t generate the data, but rather uploaded it on behalf of other companies. Cuebiq’s guess was a “probabilistic inference” they drew from location data submitted to them by some app on my phone. Valentina Marastoni-Bieser, Cuebiq’s senior vice president of marketing, wouldn’t tell me which app it was, though.

Data for sale here includes a long list of what TV shows I — supposedly — watch.

But it’s not all wrong. AddThis can tell that I’m “Young & Hip.”

Takeaways:

The above list is just a sampling of the firms that collect your data and try to draw conclusions about who you are — not just sites you visit like Facebook and controversial firms like Cambridge Analytica.

You can make some guesses as to where this data comes from — especially the more granular consumer data from Oracle. For each data point, it’s worth considering: Who’d be in a position to sell a list of what TV shows I watch, or, at least, a list of what TV shows people demographically like me watch? Who’d be in a position to sell a list of what groceries I, or people similar to me in my area, buy? Some of those companies — companies who you’re likely paying, and for whom the internet adage that “if you’re not paying, you’re the product” doesn’t hold — are likely selling data about you without your knowledge. Other data points, like the location data used by Cuebiq, can come from any number of apps or websites, so it may be difficult to figure out exactly which one has passed it on.

Companies like Google and Facebook often say that they’ll let you “correct” the data that they hold on you — tacitly acknowledging that they sometimes get it wrong. But if receiving relevant ads is not important to you, they’ll let you opt out entirely — or, presumably, “correct” your data to something false.

An upcoming European Union rule called the General Data Protection Regulation portends a dramatic change to how data is collected and used on the web — if only for Europeans. No such law seems likely to be passed in the U.S. in the near future.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.

What if a web browser came with ad-blocking software already built in? If that's what you seek, then the new Brave web browser is worth consideration. According to its website:

"Brave blocks ads and trackers by default so you browse faster and safer. You can add ad blocking extensions to your existing browser, but it’s complicated and they often conflict with one another because browser companies don't test them. Worse, the leading ad blockers still allow some ads and all trackers."

Other benefits of this new, open-source browser:

"Brave loads major news sites 2 to 8 times faster than Chrome and Safari on mobile. And Brave is 2 times faster than Chrome on desktop."

You can read details about speed tests at the Brave site. Reportedly, this new browser already has about 2 million users. Brave was started by Brendan Eich, creator of the JavaScript programming language and former CEO of Mozilla. So, he knows what he is doing.

"... give cryptocurrency-like payment tokens to anyone using the ad-blocking web browser, a move that won't let you line your own pockets but that will make it easier to fund the websites you visit. Brave developed the Basic Attention Token (BAT) as an alternative to regular money for the payments that flow from advertiser to website publishers. Brave plans to use BAT more broadly, though, for example also sending a portion of advertising revenue to you if you're using Brave and letting you spend BAT for premium content like news articles that otherwise would be behind a subscription paywall.

Most of that is in the future, though. Today, Brave can send BAT to website publishers, YouTubers and Twitch videogame streamers, all of whom can convert that BAT into ordinary money once they're verified. You can buy BAT on your own, but Brave has given away millions of dollars' worth through a few promotions. The next phase of the plan, though, is just to automatically lavish BAT on anyone using Brave, so you won't have to fret that you missed a promotional giveaway... The BAT giveaway plan is an important new phase in Brave's effort to salvage what's good about advertising on the internet -- free access to useful or entertaining services like Facebook, Google search and YouTube -- without downsides like privacy invasion and the sorts of political manipulations that Facebook partner Cambridge Analytica tried to enable."

To summarize, Brave will use blockchain as a measurement tool, not as real money. Smart. Plus, Brave pursues a new business model where advertisers can still get paid, browser users get paid, and most importantly: consumers don't have to divulge massive amounts of sensitive, personal information in order to view content. (Facebook and Google executives: are you paying attention?) This seems like a far better balance of privacy versus tracking for advertising.

Skeptical? CNet also reported that Brave started:

"... in 2017 with an initial coin offering (ICO). Enough people were convinced of BAT's value that they funded Brave by buying $36 million worth of BAT in about 30 seconds. About 300 million of the tokens are reserved for a "user growth pool" to attract people to Brave and its BAT-based payment system for online ads. That's the source of the supply Brave plans to release to Brave users.

Today, more than 12,000 publishers have verified themselves for BAT payments, the company said. That includes more than 3,300 websites, 8,800 YouTube creators and nearly 350 people streaming video games on Amazon's Twitch site. Notable verified media sites include The Washington Post, the Guardian, and Dow Jones Media Group, a Dow Jones subsidiary that operates Barron's and MarketWatch."

"... will provide access to premium content to a limited number of users who download the Brave browser on a first-come, first-serve basis. The available content set features full access to Barrons.com or a premium MarketWatch newsletter..."

To protect themselves and their sensitive information, many victims of the massive Equifax data breach have signed up for the free credit monitoring and fraud resolution services Equifax arranged. That's a good start. Some victims have gone a step further and placed Fraud Alerts or Security Freezes on their credit reports at Equifax, Experian, and TransUnion. That's good, too. But, is that enough?

The answer to that question requires an understanding of what criminals can do with the sensitive information stolen during the Equifax breach. Criminals can commit types of fraud which credit monitoring, credit report alerts, and freezes cannot stop. Consumer Reports (CR) explained:

"Freezing your credit report specifically at Equifax will also prevent crooks from registering as you at the government website, my Social Security, and block them from attempting to steal your Social Security benefits. But taking these steps won't protect you against every identity fraud threat arising from the Equifax data breach."

Sadly, besides credit and loan fraud, the Equifax breach exposed breach victims to tax refund fraud, health care fraud, and driver's license (identity) fraud. This is what makes the data breach particularly nasty. CR also listed the data elements criminals use with each type of fraud:

"With your Social Security number, crooks can file false income tax returns in your name, take bogus deductions, and steal the resulting refund. More than 14,000 fraudulent 2016 tax returns, with $92 million in unwarranted refunds, were detected and stopped by the Internal Revenue Service (IRS) as of last March... Data from the Equifax breach can be used to steal your benefits from private health insurance, Medicare, or Medicaid when the identity thief uses your coverage to pay for his own medical treatment and prescriptions... Using your driver’s license number, identity thieves can create bogus driver’s licenses and hang their moving violations on you...."

The CR article suggested several ways for consumers to protect themselves from each type of fraud: a) request an Identity Protection PIN from the IRS; b) request copies of your medical file from your providers and review your MIB Consumer File each year; and c) request a copy of your driver's license record and get your free annual consumer report from ChexSystems, Certegy, and TeleCheck, the three major check verification companies.

Do these solutions sound like a lot of preventative work? They are. You have Equifax to thank for that. Will Equifax help breach victims with the time and effort required to research and implement the solutions CR recommended? Will Equifax compensate breach victims for the costs incurred with these solutions? These are questions breach victims should ask Equifax and TrustedID Premier.

Consumers and breach victims are slowly learning that the consequences of a data breach are extensive. The consequences include time, effort, money, and aggravation. You might say breach victims have been mugged. Worse, consumers are saddled with the burden of the consequences. That isn't fair. The companies making money by selling consumers' credit reports and information should be responsible for the burdens. Things are out of balance.

Recently, I saw the trashcan below in a CVS Drugstore on Harvard Street in Brookline, a suburb of Boston. Similar warnings should be in all stores where sensitive prescription and payment data is printed on receipts:

"The iris recognition system of the new Samsung Galaxy S8 was successfully defeated by hackers... The Samsung Galaxy S8 is the first flagship smartphone with iris recognition. The manufacturer of the biometric solution is the company Princeton Identity Inc. The system promises secure individual user authentication by using the unique pattern of the human iris.

A new test conducted by CCC hackers shows that this promise cannot be kept: With a simple to make dummy-eye the phone can be fooled into believing that it sees the eye of the legitimate owner. A video shows the simplicity of the method."

The Samsung Galaxy S8 runs the Android operating system, claims a talk time of up to 30 hours, has a screen optimized for virtual reality (VR) apps, and features Bixby, an "... intelligent interface that is built into the Galaxy S8. With every interaction, Bixby can learn, evolve and adapt to you. Whether it's through touch, type or voice, Bixby will seamlessly help you get things done. (Voice coming soon)"

The CCC report also explained:

"Iris recognition may be barely sufficient to protect a phone against complete strangers unlocking it. But whoever has a photo of the legitimate owner can trivially unlock the phone. "If you value the data on your phone – and possibly want to even use it for payment – using the traditional PIN-protection is a safer approach than using body features for authentication," says Dirk Engling, spokesperson for the CCC."

Some consumers might conclude from the CCC report that the best defense against iris hacks would be to stop posting selfies. That conclusion would be wrong, and an insufficient defense:

"The easiest way for a thief to capture iris pictures is with a digital camera in night-shot mode or the infrared filter removed... Starbug was able to demonstrate that a good digital camera with 200mm-lens at a distance of up to five meters is sufficient to capture suitably good pictures to fool iris recognition systems."

So, more photos besides selfies could reveal your iris details. The CCC report also reminded consumers of the security issues with using fingerprints to protect their devices:

"CCC member and biometrics security researcher starbug has demonstrated time and again how easily biometrics can be defeated with his hacks on fingerprint authentication systems – most recently with his successful defeat of the fingerprint sensor "Touch ID" on Apple’s iPhone. "The security risk to the user from iris recognition is even bigger than with fingerprints as we expose our irises a lot. Under some circumstances, a high-resolution picture from the internet is sufficient to capture an iris," Dirk Engling remarked."

According to the infographic below from Arxan, an app protection company, 75 percent of all cars shipped globally will have internet connectivity by 2020, and current connected cars have more than 100 million lines of code. Connected features are designed to improve safety, fuel efficiency, and overall convenience. These features range from Bluetooth, WiFi, cellular network connections, and keyless entry systems to deeper "cyberphysical" features like automated braking, and parking and lane assist.

More Features Means More Vulnerability

However, with this increasing connectivity comes risks from malicious hacking. Today, connected cars have many attack points malicious hackers can exploit, including the OBD2 port used to connect third-party devices, and the software running on infotainment systems.

According to Arxan, some of the more vulnerable attack points are mobile apps that unlock vehicles and start a vehicle remotely, diagnostic devices, and insurance dongles, including the ones insurance companies give to monitor and reward safe drivers. These plug into the OBD2 port, but hackers could essentially access any embedded system in the car after lifting cryptographic keys, as the Arxan page on application protection for connected cars describes.

How To Protect Yourself

According to the FBI and Department of Transportation in a public service announcement, it's crucial that consumers follow the following recommendations to best protect themselves:

Use caution when plugging insecure devices into the car’s ports and network

With the latest remote hack of a Tesla Model S, it seems that the response time between finding out about a breach and issuing a patch to correct it is thankfully getting shorter. As more automakers become tech-oriented like Tesla, they will also need to cooperate with OEMs to make sure the operating-system software in their vehicles is designed securely. It seems this will take time, coordination with vendors, and money to bring these operations in house.

What do you do to protect your Internet-connected vehicle? What security tools and features would you prefer automakers and security vendors provide?

"LifeLock’s latest commercial shows folks happily sharing personal information on smart phones, laptops, and tablets, oblivious to LifeLock’s claim that “identity theft is one of the fastest-growing crimes in America.” That’s why you need LifeLock... True, existing debit- and credit-card fraud, aka card theft, makes up the largest part of what is trumped up as identity fraud, and it jumped 46 percent last year. But consumer-protection laws and zero-liability policies limit the actual cost of that crime for most consumers to zero. Those who had out-of-pocket costs in 2013 lost only $108, on average. The incidence of new-account fraud... has fallen to historic lows. Your chance of getting hit last year was only one-half of 1 percent. Again, you’re generally not liable if a creditor lends money to a crook posing as you, but costs for consumers who were liable somehow averaged $449. LifeLock’s terms-and-conditions agreement requires that you also work to protect your personal information “at all times.” Why pay someone for DIY defense?"

Regular readers of this blog know that after my personal information was disclosed during a prior employer's data breach, I placed Fraud Alerts for free on my credit reports on my own. Later, I upgraded to Security Freezes for greater protection. The only cost I incurred for the Security Freezes was the $5 fee (which varies by state) each credit reporting agency charged. I monitor my credit card and bank statements monthly (for free) for fraudulent charges, and when they occur get them removed without incurring any costs. For me, DIY protection works.

Terms of its settlement agreement with the FTC require Lifelock to:

"... deposit $100 million into the registry of the U.S. District Court for the District of Arizona. Of that $100 million, $68 million may be used to redress fees paid to LifeLock by class action consumers who were allegedly injured by the same behavior alleged by the FTC. These funds, however, must be paid directly to and received by consumers, and may not be used for any administrative or legal costs associated with the class action. Any money not received by consumers in the class action settlement or through settlements between LifeLock and state attorneys general will be provided to the FTC for use in further consumer redress. In addition to the settlement’s monetary provisions, record-keeping provisions similar to those in the 2010 order have been extended to 13 years from the date of the original order."

Consumers who did not participate in the class action can still sue the company. Congratulations to the FTC for the enforcement and holding Lifelock accountable.

"... from at least October 2012 through March 2014, LifeLock violated the 2010 Order by: 1) failing to establish and maintain a comprehensive information security program to protect its users’ sensitive personal data, including credit card, social security, and bank account numbers; 2) falsely advertising that it protected consumers’ sensitive data with the same high-level safeguards as financial institutions; and 3) failing to meet the 2010 order’s recordkeeping requirements... from at least January 2012 through December 2014, LifeLock falsely claimed it protected consumers’ identity 24/7/365 by providing alerts “as soon as” it received any indication there was a problem..."

The 2010 settlement resulted after FTC allegations that LifeLock used false claims to promote its identity theft protection services. The settlement stopped the company and its executives from making such claims, and required the company to take stronger measures to protect customers' personal information. The 2010 settlement included a $12 million payment for consumer refunds.

"LifeLock has been up front and transparent that we have been in a dialogue with the Federal Trade Commission for more than 18 months. During this time, we have worked with agency staff and commissioners, striving to come to a satisfactory resolution. Despite our efforts, we were unable to do so. As a result of our unwillingness to agree to an unreasonable settlement, the agency has decided to litigate its claims. We disagree with the substance of the FTC’s contentions and are prepared to take our case to court."

The legal motions were filed under seal. Lifelock is based in Tempe, Arizona. AZCentral reported:

"LifeLock shares fell more than 49 percent after the FTC accused the company of violating terms of a 2010 settlement by continuing to deceive customers and failing to protect their data... Their assurances did little to stave such a massive sell-off of shares. Because of the plunge, the New York Stock Exchange was twice forced to suspend trading of LifeLock as the share price dropped from $16.05 to close at $8.15."

"The bottom line: Protect yourself for less. Monitor your financial statements and credit reports for suspicious activity that can lead to identity theft. If your credit cards are lost or stolen, you don’t need LifeLock to notify your financial institutions to cancel and replace them. If your Social Security number is out there, we suggest that you put a security freeze on your credit reports at the big three credit bureaus–Equifax, Experian, and TransUnion. That will prevent creditors from accessing your file if a crook tries to open a new account in your name... But there is usually no charge if you’re already a victim of ID theft. Credit bureaus consider credit- and debit-card theft as identity theft, so it should be easier for you to get free freezes."

Past pitch persons for Lifelock have included former prosecutor and New York City Mayor Rudy Giuliani, and radio personality Rush Limbaugh.

The National Retail Federation and 43 other retail associations sent a letter dated November 6, 2014 to Congressional leaders in the House and Senate demanding laws that promote stronger data security, eliminate exemptions of certain industries from data breach notification laws, and provide consistent data breach notification rules.

There are currently 47 different breach notification laws across the states. This makes for a complicated patchwork of state laws that retailers must navigate when informing affected shoppers about data breaches. The laws vary in defining the data elements to be protected, data formats, the methods of notification, and when affected consumers must be notified.

"Organized groups of criminals, often based in Eastern Europe, have focused on U.S. businesses, including financial institutions, technology companies, manufacturing, retail, utilities and others. These criminals devote substantial resources and expertise to breaching data protection systems... Given the breadth of these invasions, if Americans are to be adequately protected and informed, any legislation to address these threats must cover all of the types of entities that handle sensitive personal information. Exemptions for particular industry sectors not only ignore the scope of the problem, but create risks criminals can exploit. Equally important, a single federal law applying to all breached entities would ensure clear, concise and consistent notices to all affected consumers regardless of where they live or where the breach occurs."

The letter cited current banking practices:

"... the recently reported data breaches have taught us, it is that any security gaps left unaddressed will quickly be exploited by criminals. For example, the failure of the payment cards themselves to be secured by anything more sophisticated than an easily-forged signature makes the card numbers particularly attractive to criminals and the cards themselves vulnerable to fraudulent misuse. Better security at the source of the problem is needed. The protection of American’s sensitive financial information is not an issue on which sacrificing comprehensiveness makes any sense at all."

The letter described the threats retailers face, and data breaches at banks and payment processors:

"... some recent examples are instructive. This summer, it was reported that JPMorgan Chase had suffered a data security breach... affecting 83 million accounts that had been accessed online or through mobile devices. The criminals involved reportedly took over computers around the world... Given the sophistication of the attack, even months after initial disclosure, it is not clear whether the bank’s system is free of the hackers involved. It has also been reported that nine other banks suffered similar data breaches and there is evidence that there is a focused effort to breach financial institutions by these criminals... Despite all that reporters have uncovered to date, however, financial regulators have not required financial institutions to provide the same detailed notice to their customers as is required of other businesses under law... it was revealed in September that over 100 account subscribers to Apple’s widely-used iCloud service had suffered a series of targeted attacks that ultimately led to the unlawful acquisition of sensitive photographs stored on the iCloud servers. Merchants have also been attacked by criminals employing sophisticated and previously unseen tools to steal payment card numbers. Payment card data has been targeted by criminals in data breaches at every type of entity that handles such data – from financial institutions to retailers, card processors, and telecommunications providers."

The letter also cited a key industry study about where data breaches occurred:

"The Verizon Data Breach Investigations Report is the most comprehensive summary of these types of threats. The 2014 report (examining 2013 data) determined that there were 63,437 data security incidents reported by industry, educational institutions and governmental entities last year and that 1,367 of those had confirmed data losses. Of those, the financial industry suffered 34%, public institutions (including governmental entities) had 12.8%, the retail industry had 10.8%, and hotels and restaurants combined had 10%."

"... inaccurate and misleading, and recommends solutions that leave consumers vulnerable to enhanced risk of data breaches... As evidenced by the massive breaches at Target, Home Depot, Michaels, Neiman Marcus, Jimmy Johns, Staples, Dairy Queen and others, retailers are being targeted by cyber criminals. While merchants and financial institutions are both the targets of these attacks, a key difference is that financial institutions have developed and maintain robust internal protections to combat criminal attacks and are required by Federal law and regulation to protect this information and notify consumers when a breach occurs that will put them at risk. In contrast, retailers are not covered by any Federal laws or regulations that require them to protect the data and notify consumers when it is breached."

Given the frequency and large size of data breaches, in my opinion, both groups have failed at adequately protecting consumers' sensitive personal and financial information. Neither is in a position to criticize the other.

Rather than fight, both groups should stay focused on their shoppers and account holders: collaborate on better data security. Otherwise, they both look silly; like children at the dinner table arguing over who gets the last slice of chocolate cake.

"... most cases of identity theft result not from a data breach but from the sharing of personal identification credentials with family and friends. Or, family members take the victim’s credentials without permission."

MIDAS uses real-time text messages and emails to alert users when a healthcare transaction is submitted to their health plan. The alert links to a secure website where the member can validate the transaction, or flag it as "suspicious." Then, MIDAS resolution experts follow up on the flagged transactions.

The MIDAS website lists several benefits:

Lowers health care costs

Detects health care fraud and medical identity theft

Engages patients for Affordable Care Act (ACA) compliance

Uses proven fraud reduction strategies

Simple yet powerful

Accessible from anywhere with an Internet connection

Service is backed by experienced identity protection experts

Bob Gregg, CEO of ID Experts said:

“Consumers have easy access to their personal financial data yet their medical care transactions are a closed door... MIDAS will change this by bringing transparency to healthcare transactions, engaging members as the first line of defense in protecting their identities and uniting health plans with their members to combat fraud.”

Most credit-monitoring solutions focus only upon financial transactions, and do not cover or monitor for medical identity theft and fraud; and

MIDAS can help more patients review their medical transactions, something experts advise patients to do, just as financial institutions and credit reporting agencies advise consumers to review their accounts and credit reports for fraud.

Note: this is not an endorsement. It is simply a news article to inform readers of a new service. I do not have any arrangements or relationship with ID Experts. If you subscribe to MIDAS, please share your opinions and experience below.

If you have used Facebook for several years, then you have a lot of posts in your timeline. A lot. With the new Facebook Search feature, those old posts are searchable. And many of those old posts probably have weak privacy settings: the "Public" setting, so anyone can search and view them. You probably don't want those old posts and photos of you high or drinking (to excess) to be searchable. It could cost you a job, result in a rejected college application, or affect your credit-worthiness.

What to do? You could spend the next week 24/7 non-stop deleting all of your old posts and/or changing the privacy setting on each old post to "Friends Only." A faster method to protect your privacy is to use Facebook's "Limit Past Posts" privacy setting. I'll bet you didn't know that this security setting exists, since Facebook makes its interface for security settings difficult to find and use.

Here is how to find and use the "Limit Past Posts" security setting:

Sign into Facebook and click on the Security Shortcut icon in the upper right corner. That's the thingy with the lock icon.

A drop-down menu will appear. Select "See More Settings"

On the next page, select the "Limit Past Posts" link

The page will expand to reveal two links. Select "Learn about changing old posts" if you want to learn more about this security feature. Otherwise, select the "Limit Old Posts" button.

Facebook will try to dissuade you from making this security change by, a) asking if you are sure you want to proceed, and b) telling you that this change cannot be undone. Yes, you are sure. Proceed and select the "Confirm" button.

Your online activity is tracked by a wide variety of technologies, not just web sites. For example, all of the major search engines (e.g., Google, Bing, Yahoo) track your search history. If you use one of the major search engines, then you will need to opt-out of the search engine history tracking at each search engine. This Mashable article contains instructions plus links to the opt-out mechanisms for each search engine.

Me? I use the DuckDuckGo search engine instead. There is nothing to opt-out of because DuckDuckGo doesn't collect anything.

Similarly, the social networking websites you use track your online activity and will use your name and photo in their online advertisements if you let them. To avoid this, you'll need to opt out of the advertisement features at each social networking website you use. For example: sign in to Twitter and navigate to Settings, and then Security and Privacy. On that page, uncheck the boxes next to Promoted Content and Tweet Location. For Facebook, navigate to General Account Settings, and then to Ads. Click Edit and select "No one" for Third Party Sites. Click Edit and select "No one" for "Ads and Friends."

This Mashable article contains instructions for how to opt out of advertisements on Google services.

The web browser you use also tracks your online activity. So, the steps you must take to deactivate HTTP cookie tracking depend upon which web browser you use. According to Mashable, to opt out of cookie tracking Mozilla Firefox users must:

"In Firefox's Privacy panel, click on the area next to Firefox will: and select Use custom settings for history. Once selected, remove the checkmark in the Accept Cookies box."

See the Mashable article for instructions for Google Chrome users. I also use the Better Privacy add-on for Firefox to regularly delete HTTP cookies and other Locally Shared Objects (LSO, or "Flash cookies").

Also, there may be settings on your mobile device to turn off any sharing with your mobile device manufacturer, mobile operating system manufacturer, and/or telecommunications provider. None of the above methods will stop sharing of your purchases with your bank, credit-card, debit-card, and/or prepaid card provider.

Last week, a reader suggested the DuckDuckGo.com search engine. Like most people, through the years I used a variety of search engines: first Yahoo, then Alta Vista, Google, and most recently Bing. DuckDuckGo has a very simple, easy-to-read privacy policy:

"DuckDuckGo does not collect or share personal information. That is our privacy policy in a nutshell..."

The DuckDuckGo privacy policy also explains why you should care about what other search engines do:

"... when you search for something private, you are sharing that private search not only with your search engine, but also with all the sites that you clicked on (for that search). In addition, when you visit any site, your computer automatically sends information about it to that site..."

Other search engines collect your search terms. And, the list of information your computer sends to them includes its operating system brand and version, screen size and resolution, your ISP, and your IP address. And that information may also be shared with affiliates or partner companies. DuckDuckGo.com doesn't do any of this.
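As an added illustration (not code from the original post, and not anything from DuckDuckGo), here is a small Python script that parses a constructed HTTP request and pulls out exactly what the quoted policy is talking about: the search terms that ride along in the Referer header when you click a result on an engine that puts your query in its URL, plus the platform details the destination site gets for free from the User-Agent and Accept-Language headers. The host names, the header set and the list of query parameter names are assumptions made for illustration.

```python
"""Added example: what a click from a search-results page tells the destination
site. The requests below are constructed, not captured; host names are made up."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed: the request a browser sends to a result site when the search
# engine puts the query in its result-page URL (so it ends up in Referer).
LEAKY_REQUEST = (
    "GET /article/managing-symptoms HTTP/1.1\r\n"
    "Host: health-site.example.test\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/52.0\r\n"
    "Referer: https://search.example.test/search?q=symptoms+of+depression&hl=en\r\n"
    "Accept-Language: en-US,en;q=0.5\r\n"
    "\r\n"
)

# Constructed: the same click from an engine that sends only its origin as the
# referrer (via a redirect or a referrer policy). The site learns that a search
# engine sent the visitor, but not what was typed.
QUIET_REQUEST = (
    "GET /article/managing-symptoms HTTP/1.1\r\n"
    "Host: health-site.example.test\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/52.0\r\n"
    "Referer: https://privacy-search.example.test/\r\n"
    "Accept-Language: en-US,en;q=0.5\r\n"
    "\r\n"
)

# Query-string names commonly used for the search terms (an assumption, kept
# in one place so it is easy to extend).
QUERY_PARAMS = ("q", "query", "p")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path and a lower-cased header dict."""
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def leaked_search_terms(request):
    """Return the search phrase carried in the Referer header, or None."""
    referer = request["headers"].get("referer")
    if not referer:
        return None
    query = parse_qs(urlsplit(referer).query)  # parse_qs also turns '+' into spaces
    for name in QUERY_PARAMS:
        if name in query:
            return query[name][0]
    return None


def client_fingerprint(request):
    """Platform details the destination site gets for free from the headers."""
    headers = request["headers"]
    ua = headers.get("user-agent", "")
    platform = re.search(r"\(([^)]*)\)", ua)    # text inside the first parentheses
    browser = re.search(r"(\S+/\S+)\s*$", ua)   # trailing product/version token
    return {
        "platform": platform.group(1) if platform else "",
        "browser": browser.group(1) if browser else "",
        "language": headers.get("accept-language", "").split(",")[0],
        "referring_site": urlsplit(headers.get("referer", "")).netloc,
    }


if __name__ == "__main__":
    for label, raw in (("query-in-URL engine", LEAKY_REQUEST),
                       ("origin-only referrer", QUIET_REQUEST)):
        req = parse_request(raw)
        print(label, "->", client_fingerprint(req),
              "search terms:", leaked_search_terms(req))
```

Run it and compare the two requests: the first hands the destination site the exact search phrase, the second reveals only that a search engine sent the visitor. Current browsers default to a strict-origin-when-cross-origin referrer policy, which trims the query from cross-site referrers on their own, but that default did not exist when this was written, and a referring page can still opt to send the full URL.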

"... [DuckDuckGo] also doesn't track users: no personal information is collected, shared, or used to customize individual users' search results. So, anyone searching on a particular term in DuckDuckGo will get the same results... DuckDuckGo also offers benefits including the capability to use shortcuts to directly search many websites..."

I ran several searches to see what DuckDuckGo retrieves. Its search results don't seem to be missing any pages other search engines deliver. Besides the privacy benefits, I like the cleanness and lack of clutter at DuckDuckGo. A long time ago, the Google search engine used to be this way.

Where I live and work, it seems that most people have smart phones, and love to use them. However, I am getting the impression that many, if not most, have no idea how to protect themselves and their sensitive personal data. While discussing good data security habits, I have been asked the following question by several smart phone users:

Where do I find anti-virus software for my smart phone?

While most people understand the need and take action to protect their desktop and laptop computers with anti-virus software, it doesn't seem to translate to mobile devices. Some feel that their smart phones are immune to computer viruses and malware. Actually, experts warn that malware can infect your smart phone in 4 ways: text messages, email, Bluetooth, and web surfing. So, I spent a few minutes the other day showing a person how to find anti-virus apps for her new Samsung Galaxy S III smartphone.

To find anti-virus apps for your smart phone, start with the app store your device is configured with. You can also visit Androidapps.com and select:

Android App Directory > Tools > Security

Next, you'll see a list of familiar brands of anti-virus software providers: Kaspersky, McAfee, Norton, and others. Some brands offer bundle opportunities to protect several devices you might have at home (laptops, tablets, and smart phones), or devices for several family members. Shop around, read the service agreements, and shop wisely.

Got an iPhone or iPad? Start shopping here for data security apps. For users with mobile devices that run Windows® or other operating systems, start shopping here.

I wish that the industry called the devices "handheld computers" or "pocket computers" because that is what the devices are. The phrase "smart phone" seems antiquated for mobile devices that do so much more than make and receive telephone calls.

80% of respondents do not have a good understanding of what a data broker is, what they collect and how they use information

About 80% of respondents state that it is important to control their data collected and archived by data brokers

76% of consumers feel that it is important to be notified about information that data brokers collect

80% of respondents want a centralized website to manage their information that is collected and archived by data brokers

The survey was conducted online between August 23 and September 5, 2012, with a national sample of 2,960 Americans.

Earlier this year, the data broker Spokeo paid $800,000 to settle charges by the U.S. Federal Trade Commission (FTC) that it allegedly violated the Fair Credit Reporting Act by operating as a credit reporting agency and by marketing consumers' profiles to companies in several industries without implementing methods to protect consumers as required by the FCRA. The complaint (Adobe PDF) filed by the FTC, in June 2012 in the U.S. District Court for the Central District of California, read in part:

"Spokeo assembles consumer information from 'hundreds of online and offline sources,' such as social networking sites, data brokers, and other sources to create consumer... In its marketing and advertising, [Spokeo] has promoted the use of its profiles as a factor in deciding whether to interview a job candidate or whether to hire a candidate after a job interview. Spokeo purchased thousands of online advertising keywords including terms targeting employment background checks, applicant screening, and recruiting. Spokeo ran online advertisements with taglines to attract recruiters and encourage HR professionals to use Spokeo to obtain information about job candidates' online activities. Spokeo has affirmatively targeted companies operating in the human resources, background screening, and recruiting industries... Spokeo profiles are consumer reports because they bear on a consumer's character, general reputation, personal characteristics, or mode of living and/or other attributes listed in section 603( d), and are "used or expected to be used... in whole or in part" as a factor in determining the consumer's eligibility for employment or other purposes specified in section 604."

Consumers can conclude a couple things from this. First, sloppy data practices by data brokers can abuse consumers' information. Second, what you share online in social networking sites can affect whether or not you get a job, or even get an interview. In the rush to make money and create new revenue streams, social networking sites now use your information in ways you didn't originally intend. The I've Been Mugged blog first reviewed Spokeo in 2010.

Not sure what you can do to protect your sensitive personal information? October 20 - 27, 2012 is "National Protect Your Identity Week" (NPYIW).

The ProtectYourIDNow site contains a wealth of information for consumers, plus local events by state. I visited the website to see what's available this year. There are some interesting statistics about how consumers don't protect themselves nor their sensitive personal information:

"68 percent of people with public social media profiles shared their birthday information (with 45 percent sharing month, date and year); 63 percent shared their high school name; 18 percent shared their phone number; and 12 percent shared their pet's name-all are prime examples of personal information a company would use to verify your identity."

While it may feel nice to receive birthday congratulations from your "friends" on social networking websites, the fact is that your birth date is a sensitive and critical piece of personal information that data brokers (and identity thieves) use to distinguish between multiple people with the same name. Experts warn consumers to stop doing these seven things on Facebook and other social networking websites. Some other interesting statistics:

"Seven percent of Smartphone owners were victims of identity fraud... 32 percent of Smartphone owners do not update to a new operating system when it becomes available; 62 percent do not use a password on their home screen... 32 percent save login information on their mobile device... Young adults, aged 18-24, took the longest to detect identity theft - 132 days on average... the average cost ($1,156) was roughly five times more than the amount lost by other age groups... Children may be 51 times more likely than adults to have their identity stolen..."

A recent survey by the Pew Research Center investigated how mobile device users manage their privacy. The survey included both cell phone users and smart phone users. Key findings:

"54% of app users have decided to not install a cell phone app when they discovered how much personal information they would need to share in order to use it; 30% of app users have uninstalled an app that was already on their cell phone because they learned it was collecting personal information that they didn’t wish to share. Taken together, 57% of all app users have either uninstalled an app over concerns about having to share their personal information, or declined to install an app in the first place for similar reasons."

The Pew survey found that almost one-third, 31% of all smart phone users surveyed, have lost their device or had it stolen. Among users 18 to 24 years of age, about 45% had either lost their device or had it stolen. The survey authors concluded:

"Smartphone owners are generally more active in managing their mobile data, but also experience greater exposure to privacy intrusions"

The table below highlights this conclusion:

Activity                                                                Smart Phone Users   Cell Phone Users
Back up phone contents                                                  59%                 21%
Cleared browsing or search history                                      50%                 14%
Turned off location tracking                                            30%                 7%
Experienced lost or stolen device                                       33%                 29%
Somebody accessed device in a way that felt like a privacy intrusion    15%                 8%

Pew conducted the nationwide survey, in both English and Spanish, of 2,254 adults (age 18 and older) during March 15 to April 3, 2012. Download the Pew report: "Privacy and Data management on Mobile Devices."

Everybody loves getting the latest smart phone. What to do with your old one? Perhaps, you plan to sell it on eBay or donate it to a charity. Whatever you decide, be sure to remove all sensitive data from it. Otherwise, you could create an identity theft and fraud problem for yourself.

The sensitive data on your smart phone isn't just your list of contacts and their phone numbers. The sensitive data also includes your passwords, email, browser history, calendar, and photos -- the things that document when and where you go both online and in the real world. The sensitivity of both your online passwords and browser history should be obvious. With access to your email, identity criminals could hack into your financial accounts and reset your online passwords. That would be an identity-theft disaster.

How to safely dispose of an old smart phone? Before selling or donating an old smart phone, security experts advise consumers to:

Remove the SIM card

Remove any memory cards

Run a factory reset to delete sensitive data. To do this, check the (print or online) manual for your smart phone.

But that may not be enough. Accessdata, a computer forensics firm, performed an analysis last year of several popular smart phones available on the resale market. Almost all had sensitive data from the prior owners. As Dark Reading reported:

"The phones were the iPhone 3G, Sanyo 2300, HTC Wildfire, LG Optimus, and HTC Hero... Even though all of the Android phones had been wiped through a factory reset, four of the five phones also included information that would take someone with forensics tools and knowledge to extract from more hidden storage locations... Some of the details available within those four phones included user account information, Social Security numbers, geolocation tags for where the user had taken pictures using the phone, deleted text messages, and a resume. "

In this case, the only secure option is to go old-school: wrap it in cloth and then take a hammer to your old smart phone -- even the older clamshell types. Don't try to resell or donate it. Most consumers don't have access to industrial-strength hard-drive shredding services.
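The Accessdata finding above is easy to see in miniature. As an added illustration (not code from the original post, and not a model of any real phone's storage), the Python below builds a toy block device with a directory table, writes two constructed records containing an SSN and e-mail addresses, "resets" it by clearing only the table, and then carves the raw blocks with the same kind of pattern matching forensic tools use. Only an overwrite of the blocks leaves nothing to carve. The file names, record contents and block layout are all made up for the example.

```python
"""Added example: why a 'delete everything' reset can leave data for forensic
tools to find, and what an overwrite does instead. The device below is a toy
built for illustration, not a model of any real phone's flash memory."""
import re

BLOCK_SIZE = 64


class ToyFlash:
    """A block device with a directory table, like a very simple file system.

    Files live in fixed-size blocks; the table maps a file name to the blocks it
    occupies. Deleting a file or 'resetting' the device only touches the table,
    so the bytes stay in the blocks until something overwrites them.
    """

    def __init__(self, block_count=16):
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(block_count)]
        self.table = {}  # file name -> list of block indices

    def _free_blocks(self):
        used = {i for indices in self.table.values() for i in indices}
        return [i for i in range(len(self.blocks)) if i not in used]

    def write(self, name, data):
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        free = self._free_blocks()
        if len(chunks) > len(free):
            raise OSError("device full")
        indices = free[:len(chunks)]
        for index, chunk in zip(indices, chunks):
            self.blocks[index] = chunk.ljust(BLOCK_SIZE, b"\x00")
        self.table[name] = indices

    def read(self, name):
        return b"".join(self.blocks[i] for i in self.table[name]).rstrip(b"\x00")

    def quick_reset(self):
        """Clear only the directory table: the user sees an empty device."""
        self.table.clear()

    def secure_wipe(self):
        """Overwrite every block, then clear the table: the data is actually gone."""
        for index in range(len(self.blocks)):
            self.blocks[index] = bytes(BLOCK_SIZE)
        self.table.clear()


# Patterns a forensic carving pass would look for in raw storage. Two are shown;
# real tools carry many more (phone numbers, EXIF GPS tags, SQLite pages, ...).
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(rb"[\w.+-]+@[\w-]+\.[\w.]+")


def carve(device):
    """Scan the raw blocks directly, ignoring the directory table entirely."""
    raw = b"".join(device.blocks)
    return {
        "ssn": [m.decode() for m in SSN_RE.findall(raw)],
        "email": [m.decode() for m in EMAIL_RE.findall(raw)],
    }


def demo():
    """Write two constructed files, 'reset' the device, then carve it before and after a wipe."""
    device = ToyFlash()
    device.write("contacts.db", b"Jane Doe <jane.doe@example.test> ssn=123-45-6789")
    device.write("notes.txt", b"Tax return uses 987-65-4321; backup at backups@example.test")

    device.quick_reset()
    visible_files = sorted(device.table)  # [] : looks wiped to the next owner
    after_reset = carve(device)           # but every record is still on the blocks

    device.secure_wipe()
    after_wipe = carve(device)            # overwritten: nothing left to carve
    return visible_files, after_reset, after_wipe


if __name__ == "__main__":
    files, reset, wipe = demo()
    print("files listed after quick reset:", files)
    print("carved after quick reset:", reset)
    print("carved after secure wipe:", wipe)
```

The practical point matches the hammer advice: an erase that only forgets where the files were is not an erase. The other workable option is storage encryption turned on before the reset, so that the reset discards the key and whatever is left in the blocks is ciphertext; current Android and iOS resets work that way, but most phones of the era in the Accessdata test did not encrypt storage by default.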

What did you do with your old smart phone? How did you remove any sensitive data from it? Or are your old devices gathering dust in a drawer or closet at home?